HDFS Extended ACLs

HDFS supports POSIX Access Control Lists (ACLs) in addition to the traditional POSIX permissions model it already implements. ACLs control access to HDFS files by providing a way to set
different permissions for specific named users or named groups. They extend the traditional permissions model by allowing users to define access control for arbitrary combinations of users and
groups instead of a single owner/user and a single group.

Enabling HDFS Access Control Lists

Important: Ensure that all users and groups resolve on the NameNode for ACLs to work as expected.

Enabling HDFS ACLs Using Cloudera Manager

Go to the Cloudera Manager Admin Console and navigate to the HDFS service.

Click the Configuration tab.

Select Scope > Service_name (Service-Wide)

Select Category > Security

Locate the Enable Access Control Lists property and select its checkbox to enable HDFS ACLs.

Click Save Changes to commit the changes.

Enabling HDFS ACLs Using the Command Line

To enable ACLs using the command line, set the dfs.namenode.acls.enabled property to true in the NameNode's hdfs-site.xml.

Commands

To set and get file access control lists (ACLs), use the file system shell commands, setfacl and getfacl.

getfacl

hdfs dfs -getfacl [-R] <path>

Command options:

<path>: Path to the file or directory for which ACLs should be listed.
-R: Use this option to recursively list ACLs for all files and directories.

setfacl

hdfs dfs -setfacl [-R] [{-b|-k} {-m|-x <acl_spec>} <path>]|[--set <acl_spec> <path>]

Command options:

<path>: Path to the file or directory for which ACLs should be set.
-R: Use this option to recursively apply the change to all files and directories.
-b: Remove all ACL entries except the base entries for user, group and others.
-k: Remove the default ACL.
-m: Modify the ACL by adding the specified entries. Existing entries are retained.
-x: Remove only the specified ACL entries. Other entries are retained.
<acl_spec>: Comma-separated list of ACL entries.
--set: Use this option to completely replace the existing ACL for the path specified.
Previous ACL entries will no longer apply.

HDFS Extended ACL Example

This example demonstrates how a user ("alice") shares folder access with colleagues from another team ("hadoopdev") so that the hadoopdev team can collaborate on the content of that
folder. This is accomplished by updating the default extended ACL of that directory:

Make the files and sub-directories created within the content directory readable by team "hadoopdev":

$ hdfs dfs -setfacl -m group:hadoopdev:r-x /project

Set the default ACL setting for the parent directory:

$ hdfs dfs -setfacl -m default:group:hadoopdev:r-x /project

Create a sub-directory for the content you wish to share:

$ hdfs dfs -mkdir /project/dev

Inspect the new sub-directory ACLs to verify that HDFS has applied the new default values:

Note: At the time it is created, the default ACL is copied from the parent directory to the child directory. Subsequent changes to the parent
directory default ACL do not change the ACLs of the existing child directories.
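The inspection step above is done with hdfs dfs -getfacl /project/dev (the getfacl command documented earlier). The following is an added example, not part of the Cloudera documentation: it parses constructed getfacl output for /project and /project/dev, checks that the parent's default entries were copied into the child, and computes the effective permission of a named group through the mask (the #effective annotation getfacl prints when a mask restricts an entry). The sample output and the function names are assumptions; the only real command referenced is getfacl.

```python
from dataclasses import dataclass, field

@dataclass
class Acl:
    path: str = ""
    access: dict = field(default_factory=dict)   # (tag, qualifier) -> "rwx"-style perms
    default: dict = field(default_factory=dict)  # same, for the default: entries

def parse_getfacl(text):
    """Parse `hdfs dfs -getfacl` output; a trailing '#effective:...' annotation is dropped."""
    acl = Acl()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            acl.path = line.split(":", 1)[1].strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split("#", 1)[0].strip()       # strip "#effective:r--" suffix
        table = acl.access
        if entry.startswith("default:"):
            entry, table = entry[len("default:"):], acl.default
        tag, qualifier, perms = entry.split(":", 2)
        table[(tag, qualifier)] = perms
    return acl

def effective(acl, tag, qualifier=""):
    """Named users, named groups and the owning group are filtered by the mask; owner and other are not."""
    perms = acl.access[(tag, qualifier)]
    mask = acl.access.get(("mask", ""))
    if mask is None or (tag, qualifier) == ("user", "") or tag == "other":
        return perms
    return "".join(p if m != "-" else "-" for p, m in zip(perms, mask))

def default_propagated(parent, child):
    """True when each parent default entry is in the child's default ACL and its access ACL."""
    return all(child.default.get(k) == v and k in child.access
               for k, v in parent.default.items())

# Constructed sample output (not captured from a real cluster) for /project after the two
# setfacl commands, and for /project/dev right after mkdir copied the default ACL.
ENTRIES = "\n".join([
    "user::rwx", "group::r-x", "group:hadoopdev:r-x", "mask::r-x", "other::---",
    "default:user::rwx", "default:group::r-x", "default:group:hadoopdev:r-x",
    "default:mask::r-x", "default:other::---"])
PARENT_ACL = parse_getfacl("# file: /project\n# owner: alice\n# group: supergroup\n" + ENTRIES)
CHILD_ACL = parse_getfacl("# file: /project/dev\n# owner: alice\n# group: supergroup\n" + ENTRIES)

if __name__ == "__main__":
    print(CHILD_ACL.path, "inherited default ACL:", default_propagated(PARENT_ACL, CHILD_ACL))
    print("hadoopdev effective on /project/dev:", effective(CHILD_ACL, "group", "hadoopdev"))
```

The same check run against getfacl output captured after a later change to the parent's default ACL will report False for existing children, which is the behaviour the note above describes.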

If this documentation includes code, including but not limited to, code examples, Cloudera makes this available to you under the terms of the Apache License, Version 2.0, including any required
notices. A copy of the Apache License Version 2.0 can be found here.